Tricking BuildKit into Removing Host Files
CVE-2024-23652

10CRITICAL

Key Information:

Vendor: Moby
Status: Buildkit
Vendor: CVE Published:; 31 January 2024

What is CVE-2024-23652?

A vulnerability exists in BuildKit, a toolkit for converting source code into build artifacts. This security flaw arises when a maliciously crafted BuildKit frontend or Dockerfile using the RUN --mount feature is executed, leading to potential unauthorized removal of files from the host system rather than just the container. Versions of BuildKit prior to v0.12.5 are impacted by this issue. Developers are advised to avoid using BuildKit frontends sourced from untrusted origins and to exercise caution when building Dockerfiles that utilize the RUN --mount directive. The issue has been addressed in BuildKit version 0.12.5.

Affected Version(s)

buildkit < 0.12.5

References

https://github.com/moby/buildkit/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/moby/buildkit/pull/4603

x_refsource_MISC

https://github.com/moby/buildkit/releases/tag/v0.12.5

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 31, 2024
Vulnerability Reserved
Jan 19, 2024

Moby

What is CVE-2024-23652?

Affected Version(s)

References

CVSS V3.1

Timeline